Analysis Overview
SHA256
66eecf0cc3f1f10afdb8b2aae855a0bfba0f47dfa1c354d61609614677539270
Threat Level: Shows suspicious behavior
The file 2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop was found to be: Shows suspicious behavior.
Malicious Activity Summary
System Binary Proxy Execution: Rundll32
Checks computer location settings
Adds Run key to start application
Checks for any installed AV software in registry
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Views/modifies file attributes
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-07-02 18:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-02 18:52
Reported
2025-07-02 18:55
Platform
win10v2004-20250619-en
Max time kernel
150s
Max time network
143s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe | N/A |
System Binary Proxy Execution: Rundll32
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelPowerAgent5 = "rundll32.exe shell32.dll, ShellExec_RunDLL C:\\PROGRA~3\\BB40JF~1.EXE" | C:\Windows\SysWOW64\backgroundTaskHost.exe | N/A |
Checks for any installed AV software in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Software\WOW6432Node\Avira | C:\Windows\SysWOW64\backgroundTaskHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Software\WOW6432Node\AVAST Software\Avast | C:\Windows\SysWOW64\backgroundTaskHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Software\WOW6432Node\Eset\Nod | C:\Windows\SysWOW64\backgroundTaskHost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4536 set thread context of 4904 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe | C:\Windows\SysWOW64\backgroundTaskHost.exe |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\backgroundTaskHost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
"C:\Users\Admin\AppData\Local\Temp\2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe"
C:\Windows\SysWOW64\backgroundTaskHost.exe
"backgroundTaskHost.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe shell32.dll, ShellExec_RunDLL C:\PROGRA~3\BB40JF~1.EXE
C:\Windows\system32\rundll32.exe
rundll32.exe shell32.dll, ShellExec_RunDLL C:\PROGRA~3\BB40JF~1.EXE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\cbkAC2F.tmp.bat" "C:\Users\Admin\AppData\Local\Temp\2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe""
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4536 -ip 4536
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1892
C:\Windows\SysWOW64\attrib.exe
attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4536 -ip 4536
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1808
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | download.windowsupdate.com | udp |
| GB | 2.22.144.73:80 | download.windowsupdate.com | tcp |
| GB | 2.22.144.73:80 | download.windowsupdate.com | tcp |
| US | 8.8.8.8:53 | eboduftazce-ru.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
Files
memory/4536-0-0x0000000000590000-0x0000000000591000-memory.dmp
memory/4536-1-0x0000000000400000-0x0000000000466000-memory.dmp
memory/4536-3-0x0000000000590000-0x00000000005A0000-memory.dmp
memory/4904-6-0x0000000000EB0000-0x0000000000EB1000-memory.dmp
memory/4536-8-0x0000000000400000-0x0000000000466000-memory.dmp
memory/4904-9-0x0000000001040000-0x00000000010AA000-memory.dmp
memory/4904-291-0x0000000001040000-0x00000000010AA000-memory.dmp
memory/4904-296-0x0000000001040000-0x00000000010AA000-memory.dmp
memory/4904-300-0x0000000001040000-0x00000000010AA000-memory.dmp
memory/4904-306-0x0000000001040000-0x00000000010AA000-memory.dmp
memory/4904-357-0x0000000001040000-0x00000000010AA000-memory.dmp
memory/4904-302-0x0000000001040000-0x00000000010AA000-memory.dmp
C:\ProgramData\bb40jf006b.exe
| MD5 | 5b8abe944f40f709073958ec2d27cdbd |
| SHA1 | d7541161489736c2226ecf20c913d36cca68a5d2 |
| SHA256 | 2e630fcefe098c4b9a51614d21bdb941fb728cfc93fcab008a46f550849cca6c |
| SHA512 | f0a405f45ec4c07fcfffbf5f68444e082ebde62de66ccad9f24e0284add292250e517f0bedbc2411bb2d6f275e91dbf1d0115e7fe40d82b574579c610579a7d5 |
C:\Users\Admin\AppData\Local\Temp\3492473cd35c8bdceed8
| MD5 | c532d94f86a9943fe0581e6aa06a7b43 |
| SHA1 | 185af6b1eaa5eb1821596ac720f2842dc148162f |
| SHA256 | d4082b14b44ff3c73811a3e8577dcd9c5af72cfd1a55b609684253a51cb7b8f4 |
| SHA512 | e631df6229718c3162afa89aad952bf8a1bac87d913c36eb4b5cf7345c6c934c34b74a86adb95285b933d29ef5e2d7d677f3b78680e8aa985e39bc688591cca2 |
memory/4904-298-0x0000000001100000-0x0000000001200000-memory.dmp
memory/4904-295-0x0000000001100000-0x0000000001200000-memory.dmp
C:\Users\Admin\AppData\Roaming\cbkAC2F.tmp.bat
| MD5 | 4aaadb8274333377662df7a6e844333d |
| SHA1 | 3f06b501e51b4e0c12947d7d70b5973584e8506d |
| SHA256 | f0c092a72d9958b28d646f485c8ce5a138a45748daae1a55fa5a8e041b5aaa7d |
| SHA512 | 348ad7cb9195e91e443acbbca0eb2715436514950247be4048738c1d0eba05364b7e809ee875da671d423c60ee2a6c3dff751fd8b54934ab2380a6474f2f6d37 |
memory/4536-433-0x0000000000400000-0x0000000000466000-memory.dmp
memory/4904-435-0x0000000001040000-0x00000000010AA000-memory.dmp
memory/4904-450-0x00000000012C0000-0x00000000012C1000-memory.dmp
memory/4904-464-0x0000000001100000-0x0000000001200000-memory.dmp
memory/4904-467-0x0000000001100000-0x0000000001200000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-07-02 18:52
Reported
2025-07-02 18:55
Platform
win11-20250610-en
Max time kernel
149s
Max time network
135s
Command Line
Signatures
System Binary Proxy Execution: Rundll32
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2238466657-712128251-1221219315-1000\Software\Microsoft\Windows\CurrentVersion\Run\IntelPowerAgent5 = "rundll32.exe shell32.dll, ShellExec_RunDLL C:\\PROGRA~3\\D00840~1.EXE" | C:\Windows\SysWOW64\backgroundTaskHost.exe | N/A |
Checks for any installed AV software in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Software\WOW6432Node\Avira | C:\Windows\SysWOW64\backgroundTaskHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Software\WOW6432Node\AVAST Software\Avast | C:\Windows\SysWOW64\backgroundTaskHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Software\WOW6432Node\Eset\Nod | C:\Windows\SysWOW64\backgroundTaskHost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2692 set thread context of 5160 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe | C:\Windows\SysWOW64\backgroundTaskHost.exe |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\backgroundTaskHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe
"C:\Users\Admin\AppData\Local\Temp\2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe"
C:\Windows\SysWOW64\backgroundTaskHost.exe
"backgroundTaskHost.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe shell32.dll, ShellExec_RunDLL C:\PROGRA~3\D00840~1.EXE
C:\Windows\system32\rundll32.exe
rundll32.exe shell32.dll, ShellExec_RunDLL C:\PROGRA~3\D00840~1.EXE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\jqrB870.tmp.bat" "C:\Users\Admin\AppData\Local\Temp\2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe""
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2692 -ip 2692
C:\Windows\SysWOW64\attrib.exe
attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\2025-07-02_d1d467f957fb112f8d7b919f352179a4_amadey_elex_gcleaner_rhadamanthys_smoke-loader_stop.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 2144
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2692 -ip 2692
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 1880
Network
| Country | Destination | Domain | Proto |
| GB | 84.201.209.107:80 | download.windowsupdate.com | tcp |
| GB | 84.201.209.107:80 | download.windowsupdate.com | tcp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
| US | 52.111.229.19:443 | tcp |
Files
memory/2692-0-0x00000000009C0000-0x00000000009C1000-memory.dmp
memory/2692-1-0x0000000000400000-0x0000000000466000-memory.dmp
memory/2692-3-0x00000000009C0000-0x00000000009D0000-memory.dmp
memory/5160-8-0x0000000000AB0000-0x0000000000AB1000-memory.dmp
memory/2692-10-0x0000000000400000-0x0000000000466000-memory.dmp
memory/5160-11-0x0000000000EA0000-0x0000000000F0A000-memory.dmp
memory/5160-214-0x0000000000EA0000-0x0000000000F0A000-memory.dmp
memory/5160-294-0x0000000000EA0000-0x0000000000F0A000-memory.dmp
memory/5160-299-0x0000000000EA0000-0x0000000000F0A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3492473cd35c8bdceed8
| MD5 | f21f97f8a2d4cd877b40ddf0bc4b8cc2 |
| SHA1 | 4b11df3f04e5c2f24f929b9192af578b2b117006 |
| SHA256 | e856608ef568a51502199320facd20e203ad8c73fe9653e37116ba9e6526ada2 |
| SHA512 | e53c61d788b76e352fbd823031915fd7861efcb976ee804d895465f116f49a0ef1d2fe2832033f82599ac119be1dd17c9e8f6b06f2505cb99d46e176b21050b6 |
memory/5160-304-0x0000000000EA0000-0x0000000000F0A000-memory.dmp
memory/5160-308-0x0000000000EA0000-0x0000000000F0A000-memory.dmp
C:\ProgramData\d00840f806.exe
| MD5 | aa8f235ce46bc72123b7539d1d77fbb0 |
| SHA1 | d6579f19b10f713e2cafe414f6808f9b0664e3f1 |
| SHA256 | 5495466879c83c95a8d5cff6984c376ac6009a54cd5f222bc8a053987de66003 |
| SHA512 | beafaa9be9c97cce71b9365d6167751b6b9aeb7872de41c7c8b27ba7fec29b597a582adbec505f2ac8b94f256c1ff81eaca4995773459e7bd9635ee5a93d17ef |
memory/5160-359-0x0000000000EA0000-0x0000000000F0A000-memory.dmp
memory/5160-302-0x0000000000EA0000-0x0000000000F0A000-memory.dmp
memory/5160-406-0x0000000000EA0000-0x0000000000F0A000-memory.dmp
memory/5160-296-0x0000000000DA0000-0x0000000000EA0000-memory.dmp
C:\Users\Admin\jqrB870.tmp.bat
| MD5 | e02ad012d25f1f7bffb7d00fe94dcb7c |
| SHA1 | c7b6a2804c49f3aae77adc365d8a46f23fbc270c |
| SHA256 | 6b3eca04842e04df63ec2196bfae0af76d47240a2cbf540a8e4339c55f1200f8 |
| SHA512 | aaf9b5bd3d0c9932490c79d99eedd8a9f62e479c8db30cb2606a1e4b8aed4dd22cb2ec999fa3e9a68c818f564cf64f97559469ff00b82e7561d83e001e40d5f5 |
memory/2692-426-0x0000000000400000-0x0000000000466000-memory.dmp
memory/5160-427-0x0000000000EA0000-0x0000000000F0A000-memory.dmp
memory/5160-448-0x0000000000DA0000-0x0000000000EA0000-memory.dmp